
Administration Guide

Creating a trigger

Define the events to trigger the system to take actions. You can define the "FortiWeb Log" trigger event or use the pre-defined triggers including low memory, HA failover, reboot, etc.

FortiWeb supports the following triggers.

System triggers

Reboot

The "Reboot" trigger detects whether the system reboots.

Low memory

The "Low memory" trigger detects whether FortiWeb's available memory is less than the value specified in Log&Report > Log Config > Other Log Settings > Memory Utilization.
HA

The "HA" trigger detects whether the following HA events occur:

  • HA_SWITCH (Event log ID = 11004101)

  • HA_SYNC (Event log ID = 11004102)

  • HA_MEMBER (Event log ID = 11004103)

  • HA_REBOOT (Event log ID = 11004104)

  • HA_RESTORE_CONF (Event log ID = 11004105)

  • HA_RESTORE_IMG (Event log ID = 11004106)

  • HA_UPDATE (Event log ID = 11004107)

  • HA_MONITOR_PORT (Event log ID = 11004108)

High CPU

The "High CPU" trigger detects whether the CPU usage of FortiWeb is higher than the value specified in Log&Report > Log Config > Other Log Settings > CPU Utilization.

Refer to Use case: Real-time incident alerts for an example of the High CPU use case.

Local Certificate Expired

The Local Certificate is used to encrypt the HTTPS connections between:

  • Your users and FortiWeb;

  • FortiWeb and the back-end servers;

  • The admin users and FortiWeb's GUI

If the certificate expires, users will see a certificate invalid warning.

To avoid displaying such warnings to users, you can use a "Local Certificate Expired" trigger to detect whether the certificates you have uploaded on the following pages are about to expire, so that you can renew them in time:

  • The CA tab on Server Objects > Certificates > CA.

  • The Local tab on Server Objects > Certificates > Local.

  • The Admin Cert Local tab on System > Admin > Certificates.

FortiWeb doesn't log the SSL certificate expiry event by default. Therefore, to use this trigger, run the following command to set the notification time (in days) to a value other than 0 (0 means disabled). FortiWeb then sends a notification the specified number of days before the certificate expires.

config system global

set cert-expire-check-time <integer>

end

Refer to Use case: Expired SSL certificate management for an example of the use case.
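As an added illustration (not FortiWeb code, and not the product's own implementation of the trigger), the following Python script reproduces what the "Local Certificate Expired" check evaluates: it reads the notAfter date out of an X.509 certificate with a small DER walker and applies the cert-expire-check-time semantics (0 disables the check, any other value is the alert window in days). The certificate it parses is a constructed, unsigned placeholder built inline; the function names and the hypothetical issuer name are assumptions.

```python
# Added example (not FortiWeb code): mimics what the "Local Certificate Expired"
# trigger evaluates. A minimal DER walker pulls notAfter out of an X.509 certificate
# and the alert decision follows the cert-expire-check-time semantics (0 = disabled).
import base64
import datetime as dt
import re

UTC = dt.timezone.utc


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    """Split the content of a constructed TLV into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def parse_time(tag: int, body: bytes) -> dt.datetime:
    """X.509 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    text = body.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = f"{2000 + yy if yy < 50 else 1900 + yy}{text[2:]}"  # RFC 5280 pivot
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def not_after(cert: bytes) -> dt.datetime:
    """Return the notAfter date of a PEM- or DER-encoded certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    _, cert_body, _ = read_tlv(cert, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)        # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3]                      # serial, signature, issuer, validity
    _not_before, na = children(validity[1])
    return parse_time(*na)


def days_until_expiry(cert: bytes, now: dt.datetime) -> int:
    """Whole days between now and the certificate's notAfter (negative if expired)."""
    return (not_after(cert) - now).days


def should_alert(days_left: int, cert_expire_check_time: int) -> bool:
    """cert-expire-check-time 0 disables the check; otherwise alert inside the window."""
    return cert_expire_check_time != 0 and days_left <= cert_expire_check_time


def sample_certificate(not_after_utctime: str) -> bytes:
    """Constructed, unsigned placeholder certificate (hypothetical issuer "example",
    empty key and signature) carrying only the structure the walker above needs."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"example"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, not_after_utctime.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name + validity + name + der(0x30, rsa + der(0x03, b"\x00")))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))


def to_pem(der_bytes: bytes) -> bytes:
    """Wrap DER bytes in the PEM armour that a certificate upload would carry."""
    body = base64.encodebytes(der_bytes)  # line-wrapped base64
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    cert = to_pem(sample_certificate("261231235959Z"))
    today = dt.datetime(2026, 12, 1, tzinfo=UTC)
    left = days_until_expiry(cert, today)
    for setting in (0, 14, 30):
        print(f"cert-expire-check-time={setting}: {left} days left, alert={should_alert(left, setting)}")
```

Run it as a script to see the three settings side by side: with the constructed certificate expiring on 31 December 2026 and a check date of 1 December, only the 30-day window raises an alert, and 0 never does, which is why the CLI setting above must be non-zero before the trigger can fire.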

License Expired

The "License Expired" trigger detects whether the FortiWeb license expires.

Please note that if FortiWeb's network connection is down for more than 48 hours, this also triggers the "License Expired" event.

Refer to Example: Notification Message for the "License Expired" trigger for the suggested message to send when the "License Expired" trigger occurs.

FDS DB updates

This trigger detects whether a FortiGuard Database (FDS DB) update occurs. The FortiGuard Database provides up-to-date threat intelligence.

When an FDS DB update occurs, go to the Signature Update Management tab on System > Config > FortiGuard. The newly added or updated signatures are listed there and are set to alert mode by default. Test the signatures first to ensure they don't trigger false positives or block legitimate traffic. Once they are deemed safe, select the signature and click Approve.

Refer to Use case: Automated response to FortiGuard Database (FDS DB) updates for an example of the use case.

Miscellaneous triggers
FortiWeb Log

Use this trigger to initiate the automation action when the system writes certain event logs or attack logs.

Refer to the following use cases.

Schedule

Use this trigger to schedule FortiWeb to take certain actions regularly. For example, run get system status every week at 1 am on Monday.

All the System triggers are pre-defined; you can only enter a name and description for them. Their configuration is straightforward, so it is not described further here.

In the following sections, we will introduce how to create the two triggers that have more complicated settings:

When a trigger occurs, it's important to provide sufficient information in the notification sent to your security or IT team so that they can take appropriate action. Some example messages are provided for your reference: Notification message examples.
